“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state sponsored organizations, global terrorist networks, and other criminal enterprises…”
GOV. CUOMO’S PRESS RELEASE
Effective March 1, 2017, the Superintendent of Financial Services promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies. August 28, 2017 marks the end of the initial 180-day transitional period, the deadline by which Covered Entities must comply with the regulation except for those sections that carry longer transitional periods. See more key dates of the regulation here.
New York has recently launched a Frequently Asked Questions page concerning 23 NYCRR Part 500.
A “Covered Entity” means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law. [23 NYCRR
Overview of 23 NYCRR Part 500
A. Each Covered Entity is required to establish and maintain a written cybersecurity program designed to protect the confidentiality, integrity, and availability of the Covered Entity’s Information Systems and the Nonpublic Information therein. (500.02)
B. Each Covered Entity must adopt and maintain a written cybersecurity policy which contains processes and procedures for data governance and classification, access controls and identity management, business continuity and disaster recovery, systems operation and availability concerns, security, monitoring, quality assurance, privacy, third-party service provider management, risk assessment and incident response. (500.03)
C. Each Covered Entity must designate a qualified individual to serve as Chief Information Security Officer (CISO), responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy. (500.04)
D. Each Covered Entity must implement written policies and procedures to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers, including identification and risk assessment of those providers, minimum cybersecurity practices they must meet, and periodic assessment of their practices. (500.11)
E. The program must also include a periodic Risk Assessment, qualified cybersecurity personnel (in-house, or provided by an affiliate or Third Party Service Provider), policies for the secure disposal of Nonpublic Information that is no longer necessary for business operations, and a written incident response plan. (500.09, 500.10, 500.13, 500.16)
F. Depending on the results of the Risk Assessment, the program may also need to include annual penetration testing and bi-annual vulnerability assessments, audit trail systems, access privilege controls with periodic review of those privileges, Multi-Factor Authentication (required for access to internal networks from an external network unless the CISO approves reasonably equivalent controls), cybersecurity awareness training for all personnel, and encryption of Nonpublic Information in transit and at rest (with CISO-approved compensating controls where encryption is infeasible). (500.05, 500.06, 500.07, 500.12, 500.14, 500.15)
To assist Covered Entities with their reporting requirements, DFS has announced a new online portal.
Cybriant offers programs to assist with every aspect of New York’s regulation 23 NYCRR Part 500.
The Colorado Division of Securities has adopted cybersecurity rules similar to New York’s for broker-dealers and investment advisers. The cybersecurity procedures must include all of the following:
- An annual risk assessment, which may be conducted by the firm itself rather than an independent third party
- Secure email, including encryption and digital signatures for emails containing Confidential Personal Information
- Authentication of clients’ email instructions and of employee access to electronic communications
- Disclosure to clients of the risks of using electronic communications.